<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
 <HEAD>
   <TITLE> [Mageia-sysadm] [779] allow to use multiple group for the access	with pam
   </TITLE>
   <LINK REL="Index" HREF="index.html" >
   <LINK REL="made" HREF="mailto:mageia-sysadm%40mageia.org?Subject=Re%3A%20%5BMageia-sysadm%5D%20%5B779%5D%20allow%20to%20use%20multiple%20group%20for%20the%20access%0A%09with%20pam&In-Reply-To=%3C20110113181231.7F5B54237B%40valstar.mageia.org%3E">
   <META NAME="robots" CONTENT="index,nofollow">
   <META http-equiv="Content-Type" content="text/html; charset=us-ascii">
   <LINK REL="Previous"  HREF="002052.html">
   <LINK REL="Next"  HREF="002054.html">
 </HEAD>
 <BODY BGCOLOR="#ffffff">
   <H1>[Mageia-sysadm] [779] allow to use multiple group for the access	with pam</H1>
    <B>root at mageia.org</B> 
    <A HREF="mailto:mageia-sysadm%40mageia.org?Subject=Re%3A%20%5BMageia-sysadm%5D%20%5B779%5D%20allow%20to%20use%20multiple%20group%20for%20the%20access%0A%09with%20pam&In-Reply-To=%3C20110113181231.7F5B54237B%40valstar.mageia.org%3E"
       TITLE="[Mageia-sysadm] [779] allow to use multiple group for the access	with pam">root at mageia.org
       </A><BR>
    <I>Thu Jan 13 19:12:31 CET 2011</I>
    <HR>  
<!--beginarticle-->
<PRE>Revision: 779
Author:   misc
Date:     2011-01-13 19:12:31 +0100 (Thu, 13 Jan 2011)
Log Message:
-----------
allow to use multiple group for the access with pam

Modified Paths:
--------------
    puppet/modules/pam/manifests/init.pp
    puppet/modules/pam/templates/system-auth

Modified: puppet/modules/pam/manifests/init.pp
===================================================================
--- puppet/modules/pam/manifests/init.pp	2011-01-13 18:12:29 UTC (rev 778)
+++ puppet/modules/pam/manifests/init.pp	2011-01-13 18:12:31 UTC (rev 779)
@@ -43,13 +43,20 @@
          content =&gt; template(&quot;pam/ldap.conf&quot;)
       }
   } 
+
+  define multiple_ldap_access($access_classes) {
+    include base
+  }
  
-  # beware , this two classes are exclusive
+  # beware , this two classes are exclusives
+  # if you need multiple group access, you need to define you own class
+  # of access  
  
   # for server where only admins can connect
   class admin_access {
-    $access_class = &quot;admin&quot;
-    include base
+    multiple_ldap_access { &quot;admin_access&quot;:
+        access_classes =&gt; ['mga-sysadmin']
+    }
   }
 
   # for server where people can connect with ssh ( git, svn )
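Review bot: `multiple_ldap_access` declares a `$access_classes` parameter that its own body never references; the only visible consumer is the `access_classes` lookup in the `system-auth` template of the second file, which presumably reaches this value through `include base` and the define's scope, and nothing in the define says so. I would add a comment on the define such as `# $access_classes is not used here: templates/system-auth (rendered via class base) reads it from this define's scope`. That lookup relies on the template resolving a variable from the calling scope, so if the manifests ever move to a Puppet release without that scoping rule the value would presumably no longer be found, which is another reason to spell the coupling out. The enclosing class starts outside the hunk.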
@@ -59,8 +66,11 @@
     # user, and erase the password ( see pam_auth.c in openssh code, seek badpw )
     # so the file must exist
     # permission to use svn, git, etc must be added separatly
+     
     include restrictshell::shell
-    $access_class = &quot;committers&quot;
-    include base
+
+    multiple_ldap_access { &quot;committers_access&quot;:
+        access_classes =&gt; ['mga-commiters']
+    }
   }
 }
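Review bot: The new `committers_access` declaration uses the group name `mga-commiters`, while the template line it replaces in the second file checked `ingroup mga-committers`; the two spellings cannot both name the LDAP group. If the group is really `mga-committers`, no committer matches any `sufficient pam_succeed_if` line and the trailing `account required pam_deny.so` rejects every committer ssh login on those hosts (fail-closed, so this would show up as an outage rather than a bypass); if the group really is `mga-commiters`, then the removed template line was the broken one and that is worth saying in the log. Assuming the existing group name stands, the intended line is `access_classes => ['mga-committers']`. The enclosing class starts outside the hunk.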

Modified: puppet/modules/pam/templates/system-auth
===================================================================
--- puppet/modules/pam/templates/system-auth	2011-01-13 18:12:29 UTC (rev 778)
+++ puppet/modules/pam/templates/system-auth	2011-01-13 18:12:31 UTC (rev 779)
@@ -9,13 +9,13 @@
 
 
 account sufficient  pam_localuser.so
-&lt;%- if access_class == 'admin' -%&gt;
-account required    pam_succeed_if.so quiet user ingroup mga-sysadmin
+# not sure if the following bring something useful
+account required  pam_ldap.so
+&lt;%- if access_classes -%&gt;
+&lt;%- access_classes.each { |ldap_group| -%&gt;
+account sufficient   pam_succeed_if.so quiet user ingroup &lt;%= ldap_group %&gt;
+&lt;%- } -%&gt;
 &lt;%- end -%&gt;
-&lt;%- if access_class == 'committers' -%&gt;
-account required    pam_succeed_if.so quiet user ingroup mga-committers
-&lt;%- end -%&gt;
-account sufficient  pam_ldap.so
 account required    pam_deny.so
 
 
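Review bot: The comment `# not sure if the following bring something useful` on the new `account required pam_ldap.so` line undersells a deliberate ordering: a `sufficient` module only ends the stack on success when no earlier `required` module has failed, so having pam_ldap as `required` before the per-group `pam_succeed_if` lines is what keeps the LDAP-side account state (presumably expiry, lock or host restrictions) enforced even when a group matches, whereas placing it after them or dropping it would let the first matching group short-circuit past any LDAP account check. I would replace that comment with `# required *before* the group checks: a matching group must not bypass LDAP account-state checks`. The `if access_classes` guard also deserves a one-line comment, since with an empty list the LDAP part of the stack reduces to `pam_deny.so`, i.e. it fails closed for every non-local user. `<%= ldap_group %>` is emitted unquoted into the module argument list, so a group name containing whitespace would be parsed as additional pam_succeed_if arguments; the values come from the manifests, but a pattern check on `$access_classes` at the define would be a cheap guard.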
-------------- next part --------------
An HTML attachment was scrubbed...
URL: &lt;/pipermail/mageia-sysadm/attachments/20110113/68ffbda3/attachment-0001.html&gt;
</PRE>




















<!--endarticle-->
    <HR>
</body></html>